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EXAMINER'S ANSWER 



This is in response to the appeal brief filed 02/01/05. 
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(1 ) Real Party in Interest 

A statement identifying the real party in interest is contained in the brief. 

(2) Related Appeals and Interferences 

A statement identifying the related appeals and interferences which will directly affect or 
be directly affected by or have a bearing on the decision in the pending appeal is contained in the 
brief 

(3) Status of Claims 

The statement of the status of the claims contained in the brief is correct. 

(4) Status of Amendments After Final 

The appellant's statement of the status of amendments after final rejection contained in 
the brief is correct. 

(5) Summary of Invention 

The summary of invention contained in the brief is correct. 

(6) Issues 

The appellant's statement of the issues in the brief is correct. 

(7) Grouping of Claims 

The rejection of claims 1-9, 17-29, and 37 stand or fall together because appellant's brief 
does not include a statement that this grouping of claims does not stand or fall together and 
reasons in support thereof See 37 CFR 1 , 192(c)(7), 

(8) Claims Appealed 

The copy of the appealed claims contained in the Appendix to the brief is correct. 

(9) Prior Art of Record 
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6,205,480 Bl 



Broadhurst 



3-2001 



6,324,648 Bl 



Grantges 



11-2001 



(10) Grounds of Rejection 

The following ground(s) of rejection are applicable to the appealed claims: 

Claims 1, 21, and 37 are rejected under 35 U.S.C. 103. This rejection is set forth in a 

prior Office Action, mailed on 10/21/04 and included below. 



The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 



Claims 1-38 are rejected under 35 U.S.C. 103(a) as being unpatentable over Broadhurst 
etal (6,205,480 81). 

In reference to claims J, 21, and 37, Broadhurst discloses a system, method, and 
computer program product for processing data for providing access to resources within the data 
processing system (abstract), the method comprising the data processing system implemented 
steps of 

Receiving a request from a requestor to access a resource in the data processing system 
(Fig. 2 part 100). 

Sending a first cookie to the requestor in response to the request, wherein the cookie is 
used to access the resource (Fig. 2 part 108). 



Claim Rejections - 35 JJSC §103 
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The system is responsive to receiving a second cookie from a source, comparing an 
identification of the source and the second cookie with the stored identification and the 
credentials to determine whether the second cookie contains the same information as the first 
cookie and whether the second cookie was received from the particular data processing system; 
and responsive to a match between the identification of the source and the second cookie and 
stored identification and the stored cookie, allowing access to the resource (Fig. 2 part 1 12 and 
1 14 in combination with column 4 lines 42-60). The system allows access depending on the 
authentication information therefore responsive to a match between the identification of the 
source and the second cookie and the stored identification and the stored credentials. 

Although Broadhurst does not expressly disclose storing the cookie, Broadhurst discloses 
storing the credentials that can be formed into a cookie (column 3 Unes 41-48). The user's 
identity is used to form a network credential (column 4 lines 20-25). 

At the time the invention was made, it would have been obvious to a -person of ordinary 
skill in the art to use the credentials to create the cookie. One of ordinary skill in the art would 
have been motivated to do this because this is used in the authentication scheme which allows a 
user to access numerous protected resources with a single authentication procedure (column 2 
lines 42-48). 

In reference to claim 17^ the claim is rejected as in the rejection for claim 1, in addition 
the system includes a database of credentials (column 3 lines 61-65) which performs that 
Sanction of the cache. 

In reference to claims 2 and 22 wherein access to the resource is allowed by accepting 
the second cookie (Fig. 2 part 1 14 column 3 lines 10-15). 
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In reference to claims 3 and 23, wherein the system comprises: rejecting means, 
responsive to an absence of a match between the identification of the source and the second 
cookie and the stored identification and the stored cookie, for rejecting the second cookie 
(column 4 lines 59-60). Access is granted depending on the authentication information obtained, 
as a result if the person is not authentic then access is not permitted. 

In reference to claims 4, 9, 19, 24, and 29, wherein the resource is a file and the first 
cookie identifies disk location of the file. Broadhurst discloses the resource being an application. 
An application is a program designed to assist in the performance of a specific task, and a 
program is a file therefore the browser in the system of Broadhurst is requesting access to a file. 

In reference to claims 5, 14, 25, and 34, wherein the source is a web server (Fig. 1 part 

12). 

In reference to claims 6 and 26, wherein the storing means for storing an identification of 
the source and the first cookie to form a stored identification and a stored cookie comprises: 
storing means for storing the identification of the source and the first cookie in a cache (column 
3 hnes 42-45). The credentials are stored in a database that performs that function of the cache. 

In reference to claims 7 and 27, z. system wherein the identification of the source is 
Internet protocol addresses (column 3 lines 1-15). 

In reference to claim 20, wherein the identification of the requestor and the identification 
of the source are Internet protocol addresses. 

Although Broadhurst does not expressly disclose the identification of the source and the 
requestor as being Internet protocol addresses, Broadhurst does disclose that the network is a part 
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of the Internet thereby making the identification of all participants in the communications have 
IP addresses. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use IP address as identification for the source and requestor. One of ordinary 
skill in the art would have been motivated to do this because IP addresses are the means of 
identifying devices on the internet. 

In reference to claims 8 and 28, wherein the receiving means, sending means, storing 
means, comparing means, and allowing means are performed in a browser (Fig. 1 part 14), 

Claim 18 is rejected under 35 U.S. C. 103(a) as being unpatentable over Broadhurst as 
appUed to claim 17 above, and further in view of Grantges (6,324,648 Bl). 

Broadhurst does not expressly disclose the requestor is a server. 

Grantges discloses a system that use authentication cookies wherein the cookies are 
redirected by a server to the correct server therefore making the server the requestor on behalf of 
the web browser (column 1 1 line 63 to column 12 line 10). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to send the request from the server to the web server as in Grantges in the system 
of Broadhurst. One of ordinary skill in the art would have been motivated to do this because the 
proxy server provides a buffer security to the internal network. 



(11) Response to Argument 
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The appellant argues that Broadhurst does not disclose storing and comparing both an 
identification of the requestor and an associated cookie. 

In reference to the storing and comparing of the identification. The system of Broadhurst 
discloses a process for authentication that uses X.509 certificates (column 4 lines 6-19). 
Wherein the X.509 is the specification for the implementation of digital certificates and 
certificate revocation. This specification details the information that is required in a valid digital 
certificate. Therefore the system compares the user's identification that is provided in the 
certificate. It follows that the system stores user's identification with which to compare it to. 
Broadhurst teaches that the initial authentication procedure is performed, and is accepted by the 
server to establish a user identity to the server. This is clear that, the process by which the 
system vaUdates a user's logon information. A user's name and password (or in this case the 
certificate is used for identification) are compared against an authorized Ust and if the system 
detects a match, access is granted to the extent specified in the permission list for that user 

In reference to the stored cookie, in the office action mailed out on 10/21/04 the examiner 
pointed out the modification necessary to Broadhurst in order to store the cookie and why it 
would be obvious. The rejection states: 

. . Ahhough Broadhurst does not expressly disclose storing the cookie, Broadhurst discloses 
storing the credentials that can be formed into a cookie (column 3 Unes 41-48)." 
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This indicates that even though the information for the cookie does not take the form of a cookie 
it is indeed stored in the directory. This makes the information, required to form the cookie, 
available for transforming into the more identifiable form of a cookie. 

Further more Broadhurst discloses receiving the cookie in order to access the resource. This was 
stated in the office action maild on 10/21/04. 

"... Sending a first cookie to the requestor in response to the request, wherein the cookie is used 
to access the resource (Fig. 2 part 108)." 

After receiving the above-mentioned cookie, the system of Broadhurst compares the cookie to 
the information stored in the directory (this is the above mentioned information that is used to 
create a cookie) during the process of authentication (Fig. 2 part 1 12 and 1 14 in combination 
with column 4 lines 42-60). 

The appellant argues fiirther that Broadhurst does not provide a motivation to modify because 
Broadhurst requires only a valid cookie for validation. The examiner directs attention to Fig. 2 
wherein the steps for authentication comprise both the authentication using the user ID (Fig. 2 
parts 100-102) and a valid cookie (Fig. 2 parts 112-114). Even if Broadhurst did not store user 
identity and cookie, Broadhurst does carry out authentication using the user identity and cookie 
and therefore able to store this information. 
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In reference to Broadhurst not mentioning the possibility that an external system could attempt to 
intercept a cookie and use it to attack or gain information from the issuing computer. The 
appellant does not include this in the claim language. Even if it was included in the claim 
language, there are other uses for cookies for authentication. The use that is disclosed by 
Broadhurst is for allowing a user to be easily automatically, and transparently authorized to 
access, via a web server, a plurality of appUcation (column 2 lines 14-20). 

The appellant asserts that Broadhurst' s invention is particularly advantageous in an intranet 
environment. The appellant noted that when working in an intranet one is protected by firewalls 
from the malicious mischief preset on the Internet. The examiner brings attention that the 
advantage of the system does not discount the use in the Internet. Even if this was the case 
malicious mischief exists within the intranet and therefore protection is required, for example 
from disgruntled and dishonest users. 

Although the appellant discloses that Grantges does not disclose the requestor is a server. The 
examiner would like to redirect attention back to Broadhurst who discloses user inputs a request 
to access additional resources which may be associated with the user's initial server or a new 
server in the network (column 3 lines 49-67). Thus, Broadhurst teaches that the requestor maybe 
a server. Therefore providing the direction to a proxy server as in Grantges. Further the 
Grantges reference discloses the proxy server creating a request (column 6 lines 47-5 1). In 
addition, the appellant asserts that a cookie is given to a server, rather than to a browser. This is 
not persuasive because although claim 18 does not claim the server receiving the cookie, a proxy 
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in the system of Grantges stands between the server and the browser and therefore saves and 
receives the cookie while mapping it to the identity of the browser. 



For the above reasons, it is believed that the rejections should be sustained. 



Respectfully submitted, 



PWK 

May 12, 2005 

WMVU 

Conferees a . SUPERVISORY PATENT EXAMINER 

KimVu p/c< TECHNiOLOGY CENTER 2100 
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